±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 35765
New Yesterday: 3 Visitors: 184

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

X-Ways WinHex Templates - Deleted Files Timeline

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page 1, 2, 3, 4  Next 
  

rhall47
Member
 

X-Ways WinHex Templates - Deleted Files Timeline

Post Posted: Feb 01, 11 23:25

I'm currently using X-Ways Forensics tool and would like to create a report showing deleted file details in a timeline in order to establish if the suspect deleted the files in an isolated incidence or wether it was a regular action taken by the suspect.

Has anyone used WinHex to produce such an extract or perhaps come across another product that performs the same kind of process.

Many thanks in advance Richard.  
 
  

nitinchfi
Member
 

Re: X-Ways WinHex Templates - Deleted Files Timeline

Post Posted: Sep 29, 11 11:52

- rhall47
I'm currently using X-Ways Forensics tool and would like to create a report showing deleted file details in a timeline in order to establish if the suspect deleted the files in an isolated incidence or wether it was a regular action taken by the suspect.

Has anyone used WinHex to produce such an extract or perhaps come across another product that performs the same kind of process.

Many thanks in advance Richard.


any luck ?
did you tried X-ways forum?
Please update your findings on this.

Thanks  
 
  

Passmark
Senior Member
 

Re: X-Ways WinHex Templates - Deleted Files Timeline

Post Posted: Sep 30, 11 06:41

If the deleted files are found via NTFS MFT (or in recycle bin) then you should get some dates. But if the files are all found via direct carving on the disk then there will be no dates and no timeline possible.  
 
  

liban28
Newbie
 

Re: X-Ways WinHex Templates - Deleted Files Timeline

Post Posted: Sep 30, 11 15:54

Open registry in x-ways and then file export the particular registry that creats registry Report.html.  
 
  

athulin
Senior Member
 

Re: X-Ways WinHex Templates - Deleted Files Timeline

Post Posted: Sep 30, 11 16:36

- rhall47
I'm currently using X-Ways Forensics tool and would like to create a report showing deleted file details in a timeline in order to establish if the suspect deleted the files in an isolated incidence or wether it was a regular action taken by the suspect.


What kind of file system are you looking at?  
 
  

rhall47
Member
 

Re: X-Ways WinHex Templates - Deleted Files Timeline

Post Posted: Oct 10, 11 15:45

Hi Athulin,

I was referring to deleted files under NTFS in this case.  
 
  

athulin
Senior Member
 

Re: X-Ways WinHex Templates - Deleted Files Timeline

Post Posted: Oct 10, 11 17:10

- rhall47
I was referring to deleted files under NTFS in this case.


Look at 'EnScript to parse USNJRNL' on the forensickb blog. That's probably as close as you can come with direct methods.

(Added: Just in case ... I'm not referring to recycled files, but truly deleted -- files that have passed through the DeleteFile() or closely related functions).  
 

Page 1 of 4
Page 1, 2, 3, 4  Next